PyPI - sraverify - Versions diffs - 0.1.0__py3-none-any.whl - Mend

sraverify 0.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (261) hide show

sraverify/__init__.py +36 -0
sraverify/checks/__init__.py +56 -0
sraverify/checks/accessanalyzer/SRA_IAA_1.py +188 -0
sraverify/checks/accessanalyzer/SRA_IAA_2.py +162 -0
sraverify/checks/accessanalyzer/SRA_IAA_3.py +260 -0
sraverify/checks/accessanalyzer/SRA_IAA_4.py +207 -0
sraverify/checks/accessanalyzer/__init__.py +3 -0
sraverify/checks/cloudtrail/SRA-CT-1.py +220 -0
sraverify/checks/cloudtrail/SRA-CT-10.py +229 -0
sraverify/checks/cloudtrail/SRA-CT-11.py +242 -0
sraverify/checks/cloudtrail/SRA-CT-12.py +163 -0
sraverify/checks/cloudtrail/SRA-CT-13.py +279 -0
sraverify/checks/cloudtrail/SRA-CT-2.py +218 -0
sraverify/checks/cloudtrail/SRA-CT-3.py +196 -0
sraverify/checks/cloudtrail/SRA-CT-4.py +161 -0
sraverify/checks/cloudtrail/SRA-CT-5.py +200 -0
sraverify/checks/cloudtrail/SRA-CT-6.py +161 -0
sraverify/checks/cloudtrail/SRA-CT-7.py +194 -0
sraverify/checks/cloudtrail/SRA-CT-8.py +226 -0
sraverify/checks/cloudtrail/SRA-CT-9.py +226 -0
sraverify/checks/cloudtrail/__init__.py +3 -0
sraverify/checks/config/SRA-CONFIG-1.py +197 -0
sraverify/checks/config/__init__.py +3 -0
sraverify/core/__init__.py +3 -0
sraverify/core/check.py +227 -0
sraverify/core/logging.py +37 -0
sraverify/core/session.py +47 -0
sraverify/lib/__init__.py +4 -0
sraverify/lib/audit_info.py +37 -0
sraverify/lib/banner.py +42 -0
sraverify/lib/check_loader.py +80 -0
sraverify/lib/org_mgmt_checker.py +86 -0
sraverify/lib/outputs.py +46 -0
sraverify/lib/progress.py +75 -0
sraverify/lib/regions.py +27 -0
sraverify/lib/session.py +23 -0
sraverify/main.py +350 -0
sraverify/services/__init__.py +3 -0
sraverify/services/accessanalyzer/__init__.py +15 -0
sraverify/services/accessanalyzer/base.py +123 -0
sraverify/services/accessanalyzer/checks/__init__.py +3 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_01.py +82 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_02.py +82 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_03.py +103 -0
sraverify/services/accessanalyzer/checks/sra_accessanalyzer_04.py +139 -0
sraverify/services/accessanalyzer/client.py +123 -0
sraverify/services/account/__init__.py +9 -0
sraverify/services/account/base.py +56 -0
sraverify/services/account/checks/__init__.py +1 -0
sraverify/services/account/checks/sra_account_01.py +65 -0
sraverify/services/account/checks/sra_account_02.py +63 -0
sraverify/services/account/checks/sra_account_03.py +63 -0
sraverify/services/account/client.py +51 -0
sraverify/services/auditmanager/__init__.py +10 -0
sraverify/services/auditmanager/base.py +72 -0
sraverify/services/auditmanager/checks/__init__.py +1 -0
sraverify/services/auditmanager/checks/sra_auditmanager_01.py +58 -0
sraverify/services/auditmanager/checks/sra_auditmanager_02.py +80 -0
sraverify/services/auditmanager/client.py +58 -0
sraverify/services/cloudtrail/__init__.py +33 -0
sraverify/services/cloudtrail/base.py +167 -0
sraverify/services/cloudtrail/checks/__init__.py +1 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_01.py +83 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_02.py +99 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_03.py +94 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_04.py +92 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_05.py +106 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_06.py +93 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_07.py +96 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_08.py +145 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_09.py +167 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_10.py +162 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_11.py +178 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_12.py +77 -0
sraverify/services/cloudtrail/checks/sra_cloudtrail_13.py +120 -0
sraverify/services/cloudtrail/client.py +118 -0
sraverify/services/config/__init__.py +25 -0
sraverify/services/config/base.py +249 -0
sraverify/services/config/checks/__init__.py +1 -0
sraverify/services/config/checks/sra_config_01.py +123 -0
sraverify/services/config/checks/sra_config_02.py +156 -0
sraverify/services/config/checks/sra_config_03.py +149 -0
sraverify/services/config/checks/sra_config_04.py +104 -0
sraverify/services/config/checks/sra_config_05.py +104 -0
sraverify/services/config/checks/sra_config_06.py +194 -0
sraverify/services/config/checks/sra_config_07.py +162 -0
sraverify/services/config/checks/sra_config_08.py +185 -0
sraverify/services/config/checks/sra_config_09.py +177 -0
sraverify/services/config/client.py +264 -0
sraverify/services/ec2/__init__.py +8 -0
sraverify/services/ec2/base.py +75 -0
sraverify/services/ec2/checks/__init__.py +1 -0
sraverify/services/ec2/checks/sra_ec2_01.py +83 -0
sraverify/services/ec2/client.py +63 -0
sraverify/services/firewallmanager/__init__.py +23 -0
sraverify/services/firewallmanager/base.py +48 -0
sraverify/services/firewallmanager/checks/__init__.py +1 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_01.py +75 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_02.py +57 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_03.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_04.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_05.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_06.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_07.py +51 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_08.py +61 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_09.py +61 -0
sraverify/services/firewallmanager/checks/sra_firewallmanager_10.py +71 -0
sraverify/services/firewallmanager/client.py +40 -0
sraverify/services/guardduty/__init__.py +58 -0
sraverify/services/guardduty/base.py +207 -0
sraverify/services/guardduty/checks/__init__.py +3 -0
sraverify/services/guardduty/checks/sra_guardduty_01.py +51 -0
sraverify/services/guardduty/checks/sra_guardduty_02.py +80 -0
sraverify/services/guardduty/checks/sra_guardduty_03.py +77 -0
sraverify/services/guardduty/checks/sra_guardduty_04.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_05.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_06.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_07.py +85 -0
sraverify/services/guardduty/checks/sra_guardduty_08.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_09.py +84 -0
sraverify/services/guardduty/checks/sra_guardduty_10.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_11.py +93 -0
sraverify/services/guardduty/checks/sra_guardduty_12.py +83 -0
sraverify/services/guardduty/checks/sra_guardduty_13.py +90 -0
sraverify/services/guardduty/checks/sra_guardduty_14.py +136 -0
sraverify/services/guardduty/checks/sra_guardduty_15.py +94 -0
sraverify/services/guardduty/checks/sra_guardduty_16.py +94 -0
sraverify/services/guardduty/checks/sra_guardduty_17.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_18.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_19.py +91 -0
sraverify/services/guardduty/checks/sra_guardduty_20.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_21.py +112 -0
sraverify/services/guardduty/checks/sra_guardduty_22.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_23.py +154 -0
sraverify/services/guardduty/checks/sra_guardduty_24.py +111 -0
sraverify/services/guardduty/checks/sra_guardduty_25.py +111 -0
sraverify/services/guardduty/client.py +107 -0
sraverify/services/inspector/__init__.py +29 -0
sraverify/services/inspector/base.py +233 -0
sraverify/services/inspector/checks/__init__.py +3 -0
sraverify/services/inspector/checks/sra_inspector_01.py +69 -0
sraverify/services/inspector/checks/sra_inspector_02.py +68 -0
sraverify/services/inspector/checks/sra_inspector_03.py +68 -0
sraverify/services/inspector/checks/sra_inspector_04.py +70 -0
sraverify/services/inspector/checks/sra_inspector_05.py +69 -0
sraverify/services/inspector/checks/sra_inspector_06.py +115 -0
sraverify/services/inspector/checks/sra_inspector_07.py +109 -0
sraverify/services/inspector/checks/sra_inspector_08.py +69 -0
sraverify/services/inspector/checks/sra_inspector_09.py +69 -0
sraverify/services/inspector/checks/sra_inspector_10.py +69 -0
sraverify/services/inspector/checks/sra_inspector_11.py +69 -0
sraverify/services/inspector/client.py +99 -0
sraverify/services/macie/__init__.py +27 -0
sraverify/services/macie/base.py +271 -0
sraverify/services/macie/checks/__init__.py +1 -0
sraverify/services/macie/checks/sra_macie_01.py +100 -0
sraverify/services/macie/checks/sra_macie_02.py +102 -0
sraverify/services/macie/checks/sra_macie_03.py +152 -0
sraverify/services/macie/checks/sra_macie_04.py +120 -0
sraverify/services/macie/checks/sra_macie_05.py +85 -0
sraverify/services/macie/checks/sra_macie_06.py +124 -0
sraverify/services/macie/checks/sra_macie_07.py +138 -0
sraverify/services/macie/checks/sra_macie_08.py +82 -0
sraverify/services/macie/checks/sra_macie_09.py +103 -0
sraverify/services/macie/checks/sra_macie_10.py +81 -0
sraverify/services/macie/client.py +220 -0
sraverify/services/s3/__init__.py +16 -0
sraverify/services/s3/base.py +69 -0
sraverify/services/s3/checks/__init__.py +1 -0
sraverify/services/s3/checks/sra_s3_01.py +89 -0
sraverify/services/s3/checks/sra_s3_02.py +89 -0
sraverify/services/s3/checks/sra_s3_03.py +88 -0
sraverify/services/s3/checks/sra_s3_04.py +88 -0
sraverify/services/s3/client.py +52 -0
sraverify/services/securityhub/__init__.py +27 -0
sraverify/services/securityhub/base.py +349 -0
sraverify/services/securityhub/checks/__init__.py +1 -0
sraverify/services/securityhub/checks/sra_securityhub_01.py +115 -0
sraverify/services/securityhub/checks/sra_securityhub_02.py +114 -0
sraverify/services/securityhub/checks/sra_securityhub_03.py +136 -0
sraverify/services/securityhub/checks/sra_securityhub_04.py +75 -0
sraverify/services/securityhub/checks/sra_securityhub_05.py +102 -0
sraverify/services/securityhub/checks/sra_securityhub_06.py +113 -0
sraverify/services/securityhub/checks/sra_securityhub_07.py +121 -0
sraverify/services/securityhub/checks/sra_securityhub_08.py +113 -0
sraverify/services/securityhub/checks/sra_securityhub_09.py +100 -0
sraverify/services/securityhub/checks/sra_securityhub_10.py +94 -0
sraverify/services/securityhub/checks/sra_securityhub_11.py +73 -0
sraverify/services/securityhub/client.py +249 -0
sraverify/services/securityincidentresponse/__init__.py +13 -0
sraverify/services/securityincidentresponse/base.py +95 -0
sraverify/services/securityincidentresponse/checks/__init__.py +1 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_01.py +77 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_02.py +72 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_03.py +86 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_04.py +117 -0
sraverify/services/securityincidentresponse/checks/sra_securityincidentresponse_05.py +55 -0
sraverify/services/securityincidentresponse/client.py +71 -0
sraverify/services/securitylake/__init__.py +39 -0
sraverify/services/securitylake/base.py +461 -0
sraverify/services/securitylake/checks/__init__.py +1 -0
sraverify/services/securitylake/checks/sra_securitylake_01.py +98 -0
sraverify/services/securitylake/checks/sra_securitylake_02.py +133 -0
sraverify/services/securitylake/checks/sra_securitylake_03.py +116 -0
sraverify/services/securitylake/checks/sra_securitylake_04.py +72 -0
sraverify/services/securitylake/checks/sra_securitylake_05.py +116 -0
sraverify/services/securitylake/checks/sra_securitylake_06.py +104 -0
sraverify/services/securitylake/checks/sra_securitylake_07.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_08.py +107 -0
sraverify/services/securitylake/checks/sra_securitylake_09.py +107 -0
sraverify/services/securitylake/checks/sra_securitylake_10.py +106 -0
sraverify/services/securitylake/checks/sra_securitylake_11.py +109 -0
sraverify/services/securitylake/checks/sra_securitylake_12.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_13.py +108 -0
sraverify/services/securitylake/checks/sra_securitylake_14.py +72 -0
sraverify/services/securitylake/checks/sra_securitylake_15.py +120 -0
sraverify/services/securitylake/checks/sra_securitylake_16.py +104 -0
sraverify/services/securitylake/checks/sra_securitylake_17.py +103 -0
sraverify/services/securitylake/client.py +247 -0
sraverify/services/shield/__init__.py +33 -0
sraverify/services/shield/base.py +199 -0
sraverify/services/shield/checks/__init__.py +1 -0
sraverify/services/shield/checks/sra_shield_01.py +68 -0
sraverify/services/shield/checks/sra_shield_02.py +77 -0
sraverify/services/shield/checks/sra_shield_03.py +84 -0
sraverify/services/shield/checks/sra_shield_04.py +84 -0
sraverify/services/shield/checks/sra_shield_05.py +84 -0
sraverify/services/shield/checks/sra_shield_06.py +84 -0
sraverify/services/shield/checks/sra_shield_07.py +84 -0
sraverify/services/shield/checks/sra_shield_08.py +69 -0
sraverify/services/shield/checks/sra_shield_09.py +86 -0
sraverify/services/shield/checks/sra_shield_10.py +100 -0
sraverify/services/shield/checks/sra_shield_11.py +71 -0
sraverify/services/shield/checks/sra_shield_12.py +130 -0
sraverify/services/shield/checks/sra_shield_13.py +112 -0
sraverify/services/shield/checks/sra_shield_14.py +111 -0
sraverify/services/shield/client.py +214 -0
sraverify/services/waf/__init__.py +21 -0
sraverify/services/waf/base.py +100 -0
sraverify/services/waf/checks/__init__.py +1 -0
sraverify/services/waf/checks/sra_waf_01.py +63 -0
sraverify/services/waf/checks/sra_waf_02.py +82 -0
sraverify/services/waf/checks/sra_waf_03.py +123 -0
sraverify/services/waf/checks/sra_waf_04.py +94 -0
sraverify/services/waf/checks/sra_waf_05.py +94 -0
sraverify/services/waf/checks/sra_waf_06.py +91 -0
sraverify/services/waf/checks/sra_waf_07.py +94 -0
sraverify/services/waf/checks/sra_waf_08.py +66 -0
sraverify/services/waf/checks/sra_waf_09.py +95 -0
sraverify/services/waf/client.py +109 -0
sraverify/utils/__init__.py +3 -0
sraverify/utils/banner.py +65 -0
sraverify/utils/outputs.py +57 -0
sraverify/utils/progress.py +97 -0
sraverify-0.1.0.dist-info/LICENSE +175 -0
sraverify-0.1.0.dist-info/METADATA +516 -0
sraverify-0.1.0.dist-info/NOTICE +1 -0
sraverify-0.1.0.dist-info/RECORD +261 -0
sraverify-0.1.0.dist-info/WHEEL +5 -0
sraverify-0.1.0.dist-info/entry_points.txt +2 -0
sraverify-0.1.0.dist-info/top_level.txt +1 -0

sraverify/services/shield/checks/sra_shield_06.py ADDED Viewed

@@ -0,0 +1,84 @@
+"""
+Check if Shield Advanced is configured for Route 53 hosted zones.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+class SRA_SHIELD_06(ShieldCheck):
+    """Check if Shield Advanced is configured for Route 53 hosted zones."""
+    def __init__(self):
+        """Initialize Shield Advanced Route 53 protection check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-06"
+        self.check_name = "Shield Advanced is configured for Route 53 hosted zones"
+        self.description = ("This check verifies that AWS Shield Advanced is protecting "
+                            "at least one Route 53 hosted zone.")
+        self.severity = "HIGH"
+        self.check_logic = ("List Shield protections and filter by Route 53 ARNs. "
+                            "Check fails if no Route 53 hosted zones are protected.")
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        Returns:
+            List of findings
+        """
+        # Shield is a global service, check only in us-east-1
+        region = "us-east-1"
+        protections = self.list_protections(region)
+        if "Error" in protections:
+            error_code = protections["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield Advanced subscription not found",
+                    remediation="Enable Shield Advanced subscription to protect resources"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=protections["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif protections.get("Protections"):
+            # Filter for Route 53 hosted zones by checking ResourceArn
+            route53_protections = [
+                p for p in protections["Protections"]
+                if "route53" in p.get("ResourceArn", "").lower() and "hostedzone" in p.get("ResourceArn", "").lower()
+            ]
+            if route53_protections:
+                protected_count = len(route53_protections)
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="shield:route53-protections",
+                    actual_value=f"{protected_count} Route 53 hosted zone(s) protected",
+                    remediation=""
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No Route 53 hosted zones protected",
+                    remediation="Enable Shield Advanced protection for Route 53 hosted zones in the AWS Shield console"
+                ))
+        else:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="No Route 53 hosted zones protected",
+                remediation="Enable Shield Advanced protection for Route 53 hosted zones in the AWS Shield console"
+            ))
+        return self.findings

sraverify/services/shield/checks/sra_shield_07.py ADDED Viewed

@@ -0,0 +1,84 @@
+"""
+Check if Shield Advanced is configured for Global Accelerator.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+class SRA_SHIELD_07(ShieldCheck):
+    """Check if Shield Advanced is configured for Global Accelerator."""
+    def __init__(self):
+        """Initialize Shield Advanced Global Accelerator protection check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-07"
+        self.check_name = "Shield Advanced is configured for Global Accelerator"
+        self.description = ("This check verifies that AWS Shield Advanced is protecting "
+                            "at least one Global Accelerator accelerator.")
+        self.severity = "HIGH"
+        self.check_logic = ("List Shield protections and filter by Global Accelerator ARNs. "
+                            "Check fails if no Global Accelerator accelerators are protected.")
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        Returns:
+            List of findings
+        """
+        # Shield is a global service, check only in us-east-1
+        region = "us-east-1"
+        protections = self.list_protections(region)
+        if "Error" in protections:
+            error_code = protections["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield Advanced subscription not found",
+                    remediation="Enable Shield Advanced subscription to protect resources"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=protections["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif protections.get("Protections"):
+            # Filter for Global Accelerator by checking ResourceArn
+            ga_protections = [
+                p for p in protections["Protections"]
+                if "globalaccelerator" in p.get("ResourceArn", "").lower()
+            ]
+            if ga_protections:
+                protected_count = len(ga_protections)
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="shield:globalaccelerator-protections",
+                    actual_value=f"{protected_count} Global Accelerator accelerator(s) protected",
+                    remediation=""
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="No Global Accelerator accelerators protected",
+                    remediation="Enable Shield Advanced protection for Global Accelerator accelerators in the AWS Shield console"
+                ))
+        else:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="No Global Accelerator accelerators protected",
+                remediation="Enable Shield Advanced protection for Global Accelerator accelerators in the AWS Shield console"
+            ))
+        return self.findings

sraverify/services/shield/checks/sra_shield_08.py ADDED Viewed

@@ -0,0 +1,69 @@
+"""
+Check if Shield Response Team (SRT) access is configured.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+class SRA_SHIELD_08(ShieldCheck):
+    """Check if Shield Response Team (SRT) access is configured."""
+    def __init__(self):
+        """Initialize Shield Response Team access check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-08"
+        self.check_name = "Shield Response Team (SRT) access is configured"
+        self.description = ("This check verifies that AWS Shield Response Team (SRT) "
+                            "access is configured with an appropriate IAM role.")
+        self.severity = "MEDIUM"
+        self.check_logic = "Describe DRT access configuration. Check fails if no role ARN is configured."
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        Returns:
+            List of findings
+        """
+        # Shield is a global service, check only in us-east-1
+        region = "us-east-1"
+        drt_access = self.describe_drt_access(region)
+        if "Error" in drt_access:
+            error_code = drt_access["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="SRT access not configured",
+                    remediation="Configure Shield Response Team access by associating an IAM role using AssociateDRTRole API"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=drt_access["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif drt_access.get("RoleArn"):
+            role_arn = drt_access["RoleArn"]
+            bucket_count = len(drt_access.get("LogBucketList", []))
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id="shield:srt-access",
+                actual_value=f"SRT access configured with role: {role_arn}, {bucket_count} log bucket(s)",
+                remediation=""
+            ))
+        else:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="SRT access not configured",
+                remediation="Configure Shield Response Team access by associating an IAM role using AssociateDRTRole API"
+            ))
+        return self.findings

sraverify/services/shield/checks/sra_shield_09.py ADDED Viewed

@@ -0,0 +1,86 @@
+"""
+Check if Shield Advanced proactive engagement is enabled.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+class SRA_SHIELD_09(ShieldCheck):
+    """Check if Shield Advanced proactive engagement is enabled."""
+    def __init__(self):
+        """Initialize Shield Advanced proactive engagement check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-09"
+        self.check_name = "Shield Advanced proactive engagement is enabled"
+        self.description = ("This check verifies that AWS Shield Advanced proactive engagement "
+                            "is enabled, allowing the Shield Response Team to contact you directly during attacks.")
+        self.severity = "MEDIUM"
+        self.check_logic = ("Get Shield subscription details and check ProactiveEngagementStatus. "
+                            "Check fails if proactive engagement is disabled.")
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        Returns:
+            List of findings
+        """
+        # Shield is a global service, check only in us-east-1
+        region = "us-east-1"
+        subscription = self.get_subscription_state(region)
+        if "Error" in subscription:
+            error_code = subscription["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield Advanced not subscribed",
+                    remediation="Enable Shield Advanced subscription in the AWS Shield console"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=subscription["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif "Subscription" in subscription:
+            proactive_status = subscription["Subscription"].get("ProactiveEngagementStatus", "")
+            if proactive_status == "ENABLED":
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="shield:proactive-engagement",
+                    actual_value="Proactive engagement is enabled",
+                    remediation=""
+                ))
+            elif proactive_status == "PENDING":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id="shield:proactive-engagement",
+                    actual_value="Proactive engagement is pending",
+                    remediation="Complete proactive engagement setup by providing emergency contacts"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id="shield:proactive-engagement",
+                    actual_value=f"Proactive engagement is {proactive_status or 'disabled'}",
+                    remediation="Enable proactive engagement using EnableProactiveEngagement API and configure emergency contacts"
+                ))
+        else:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="Shield Advanced subscription not found",
+                remediation="Enable Shield Advanced subscription in the AWS Shield console"
+            ))
+        return self.findings

sraverify/services/shield/checks/sra_shield_10.py ADDED Viewed

@@ -0,0 +1,100 @@
+"""
+Check if health checks are configured for Shield Advanced protected resources.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+class SRA_SHIELD_10(ShieldCheck):
+    """Check if health checks are configured for Shield Advanced protected resources."""
+    def __init__(self):
+        """Initialize Shield Advanced health checks check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-10"
+        self.check_name = "Health checks are configured for Shield Advanced protected resources"
+        self.description = ("This check verifies that Route 53 health checks are associated "
+                            "with Shield Advanced protected resources to enable health-based detection. "
+                            "Route 53 hosted zones are excluded as they don't support health-based detection.")
+        self.severity = "MEDIUM"
+        self.check_logic = ("List Shield protections and check HealthCheckIds field. "
+                            "Check fails if protected resources (excluding Route 53 hosted zones) lack health checks.")
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        Returns:
+            List of findings
+        """
+        # Shield is a global service, check only in us-east-1
+        region = "us-east-1"
+        protections = self.list_protections(region)
+        if "Error" in protections:
+            error_code = protections["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield Advanced subscription not found",
+                    remediation="Enable Shield Advanced subscription to protect resources"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=protections["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif protections.get("Protections"):
+            # Filter out Route 53 hosted zones as they don't support health-based detection
+            eligible_protections = [
+                p for p in protections["Protections"]
+                if not ("route53" in p.get("ResourceArn", "").lower() and "hostedzone" in p.get("ResourceArn", "").lower())
+            ]
+            if not eligible_protections:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="shield:health-checks",
+                    actual_value="No resources requiring health checks found (only Route 53 hosted zones protected)",
+                    remediation=""
+                ))
+                return self.findings
+            # Create a finding for each eligible protected resource
+            for protection in eligible_protections:
+                resource_arn = protection.get("ResourceArn", "")
+                protection_name = protection.get("Name", "Unknown")
+                health_check_ids = protection.get("HealthCheckIds", [])
+                if health_check_ids:
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=region,
+                        resource_id=resource_arn,
+                        actual_value=f"Health check configured: {len(health_check_ids)} health check(s)",
+                        remediation=""
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=region,
+                        resource_id=resource_arn,
+                        actual_value="No health check configured",
+                        remediation="Associate a Route 53 health check with this Shield Advanced protected resource"
+                    ))
+        else:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="No Shield Advanced protections found",
+                remediation="Enable Shield Advanced protection for resources and configure health checks"
+            ))
+        return self.findings

sraverify/services/shield/checks/sra_shield_11.py ADDED Viewed

@@ -0,0 +1,71 @@
+"""
+Check if Shield engagement Lambda function is configured.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+class SRA_SHIELD_11(ShieldCheck):
+    """Check if Shield engagement Lambda function is configured."""
+    def __init__(self):
+        """Initialize Shield engagement Lambda function check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-11"
+        self.check_name = "Shield engagement Lambda function is configured"
+        self.description = ("This check verifies that a Lambda function named "
+                            "'AWS_Shield_Engagement_Lambda' exists to automate support case creation during DDoS events.")
+        self.severity = "MEDIUM"
+        self.check_logic = "Check for existence of Lambda function named 'AWS_Shield_Engagement_Lambda' in us-east-1."
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        Returns:
+            List of findings
+        """
+        # Check for Lambda function in us-east-1
+        region = "us-east-1"
+        function_name = "AWS_Shield_Engagement_Lambda"
+        lambda_function = self.get_lambda_function(region, function_name)
+        if "Error" in lambda_function:
+            error_code = lambda_function["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield engagement Lambda function not found",
+                    remediation=f"Create Lambda function named '{function_name}' to automate support case creation during DDoS events"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=lambda_function["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Lambda API access"
+                ))
+        elif lambda_function.get("Configuration"):
+            function_arn = lambda_function["Configuration"].get("FunctionArn", "")
+            runtime = lambda_function["Configuration"].get("Runtime", "")
+            self.findings.append(self.create_finding(
+                status="PASS",
+                region=region,
+                resource_id=function_arn,
+                actual_value=f"Shield engagement Lambda function exists (Runtime: {runtime})",
+                remediation=""
+            ))
+        else:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="Shield engagement Lambda function not found",
+                remediation=f"Create Lambda function named '{function_name}' to automate support case creation during DDoS events"
+            ))
+        return self.findings

sraverify/services/shield/checks/sra_shield_12.py ADDED Viewed

@@ -0,0 +1,130 @@
+"""
+Check if Shield Advanced protected resources have WAF web ACLs associated.
+"""
+from typing import Dict, List, Any
+from sraverify.services.shield.base import ShieldCheck
+class SRA_SHIELD_12(ShieldCheck):
+    """Check if Shield Advanced protected resources have WAF web ACLs associated."""
+    def __init__(self):
+        """Initialize Shield Advanced WAF association check."""
+        super().__init__()
+        self.check_id = "SRA-SHIELD-12"
+        self.check_name = "Shield Advanced protected resources have WAF web ACLs associated"
+        self.description = ("This check verifies that Shield Advanced protected resources "
+                            "that support WAF (CloudFront distributions and Application Load Balancers) "
+                            "have web ACLs associated for enhanced application layer protection.")
+        self.severity = "HIGH"
+        self.check_logic = ("List Shield protections and check WAF web ACL associations "
+                            "for CloudFront distributions and Application Load Balancers.")
+    def execute(self) -> List[Dict[str, Any]]:
+        """
+        Execute the check.
+        Returns:
+            List of findings
+        """
+        # Shield is a global service, check only in us-east-1
+        region = "us-east-1"
+        protections = self.list_protections(region)
+        if "Error" in protections:
+            error_code = protections["Error"].get("Code", "")
+            if error_code == "ResourceNotFoundException":
+                self.findings.append(self.create_finding(
+                    status="FAIL",
+                    region=region,
+                    resource_id=None,
+                    actual_value="Shield Advanced subscription not found",
+                    remediation="Enable Shield Advanced subscription to protect resources"
+                ))
+            else:
+                self.findings.append(self.create_finding(
+                    status="ERROR",
+                    region=region,
+                    resource_id=None,
+                    actual_value=protections["Error"].get("Message", "Unknown error"),
+                    remediation="Check IAM permissions for Shield API access"
+                ))
+        elif protections.get("Protections"):
+            # Filter for resources that support WAF (CloudFront and ALB)
+            waf_eligible_protections = [
+                p for p in protections["Protections"]
+                if ("cloudfront" in p.get("ResourceArn", "").lower() or
+                    "elasticloadbalancing" in p.get("ResourceArn", "").lower())
+            ]
+            if not waf_eligible_protections:
+                self.findings.append(self.create_finding(
+                    status="PASS",
+                    region=region,
+                    resource_id="shield:waf-associations",
+                    actual_value="No WAF-eligible protected resources found",
+                    remediation=""
+                ))
+                return self.findings
+            # Check each eligible resource for WAF association
+            for protection in waf_eligible_protections:
+                resource_arn = protection.get("ResourceArn", "")
+                protection_name = protection.get("Name", "Unknown")
+                # Determine the correct region for the WAF check
+                check_region = region
+                if "elasticloadbalancing" in resource_arn.lower():
+                    # Extract region from ALB ARN: arn:aws:elasticloadbalancing:region:...
+                    arn_parts = resource_arn.split(":")
+                    if len(arn_parts) >= 4:
+                        check_region = arn_parts[3]
+                web_acl = self.get_web_acl_for_resource(check_region, resource_arn)
+                if "Error" in web_acl:
+                    error_code = web_acl["Error"].get("Code", "")
+                    if error_code == "WAFNonexistentItemException":
+                        self.findings.append(self.create_finding(
+                            status="FAIL",
+                            region=check_region,
+                            resource_id=resource_arn,
+                            actual_value="No WAF web ACL associated",
+                            remediation="Associate a WAF web ACL with this resource for enhanced application layer protection"
+                        ))
+                    else:
+                        self.findings.append(self.create_finding(
+                            status="ERROR",
+                            region=check_region,
+                            resource_id=resource_arn,
+                            actual_value=web_acl["Error"].get("Message", "Unknown error"),
+                            remediation="Check IAM permissions for WAF API access"
+                        ))
+                elif web_acl.get("WebACL"):
+                    web_acl_name = web_acl["WebACL"].get("Name", "Unknown")
+                    web_acl_id = web_acl["WebACL"].get("Id", "")
+                    self.findings.append(self.create_finding(
+                        status="PASS",
+                        region=check_region,
+                        resource_id=resource_arn,
+                        actual_value=f"WAF web ACL associated: {web_acl_name} ({web_acl_id})",
+                        remediation=""
+                    ))
+                else:
+                    self.findings.append(self.create_finding(
+                        status="FAIL",
+                        region=check_region,
+                        resource_id=resource_arn,
+                        actual_value="No WAF web ACL associated",
+                        remediation="Associate a WAF web ACL with this resource for enhanced application layer protection"
+                    ))
+        else:
+            self.findings.append(self.create_finding(
+                status="FAIL",
+                region=region,
+                resource_id=None,
+                actual_value="No Shield Advanced protections found",
+                remediation="Enable Shield Advanced protection for resources and associate WAF web ACLs"
+            ))
+        return self.findings